The following knowledgebase will tell you how you can check what all programs will run when user has logged on to the computer.
When user logs on to the computer the Winlogon service will use the following registry entry to run any programs (if specified):
HKLM\Software\Micrsofot\Windows\CurrentVersion\Run
HKLM\Software\Micrsofot\Windows\CurrentVersion\RunOnce
The above two registry entries are used by Winlogon service after user has logged on to the system successfully. The Winlogon service will create a list of programs to run.
Please note that domain policy may override this setting if specified. You can also use Group Policy settings to block any program to run.
You can use the following script to check the programs in Run or RunOnce registry key on remote computer.
*** Start ***
@echo off
Set RegQry=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Set RegQry1=HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
REG.exe Query \\remote_computer\%RegQry% > CheckRun.txt
REG.exe Query \\remote_computer\%RegQry1% > CheckRunOnce.txt
Echo Programs on Computer : Remote_Computer >> Programs.txt
For /F “Skip=5 Tokens=*” %%a In (CheckRun.txt) Do (
Echo %%a >> Programs.txt
)
For /F “Skip=5 Tokens=*” %%a In (CheckRunOnce.txt) Do (
Echo %%a >> Programs.txt
)
*** End ***
You can use PSEXEC (a tool from Sysinternals) to run this script remotely and then redirect the output in a Text file.